Lightweight Intrusion Detection of Rootkit with VMI-Based Driver Separation Mechanism
Cui, Chaoyuan (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei)
Wu, Yun (Institute of Applied Technology, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei)
Li, Yonggang (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei)
Sun, Bingyu (Institute of Intelligent Machines, Hefei Institutes of Physical Science, Chinese Academy of Sciences, Hefei)